GENERATORS OF JACOBIANS OF GENUS TWO CURVES 
Abstract. We prove that in most cases relevant to cryptography, the Frobenius endomorphism on the Jacobian of a genus two curve is represented by a diagonal matrix with respect to an appropriate basis of the subgroup of $\ell$-torsion points. From this fact we get an explicit description of the Weil-pairing on the subgroup of $\ell$-torsion points. Finally, the explicit description of the Weil-pairing provides us with an efficient, probabilistic algorithm to find generators of the subgroup of $\ell$-torsion points on the Jacobian of a genus two curve.



1. Introduction 

In [9], Koblitz described how to use elliptic curves to construct a public key cryptosystem. To get a more general class of curves, and possibly larger group orders, Koblitz [10] then proposed using Jacobians of hyperelliptic curves. After Boneh and Franklin [1] proposed an identity based cryptosystem by using the Weil-pairing on an elliptic curve, pairings have been of great interest to cryptography [5]. The next natural step was to consider pairings on Jacobians of hyperelliptic curves. Galbraith et al. [6] survey the recent research on pairings on Jacobians of hyperelliptic curves.

Miller [12] uses the Weil-pairing to determine generators of $E(\mathbb{F}_q)$, where $E$ is an elliptic curve defined over a finite field $\mathbb{F}_q$. Let $\mathcal{J}_C$ be the Jacobian of a genus two curve defined over $\mathbb{F}_q$. In [14], the author describes an algorithm based on the Tate-pairing to determine generators of the subgroup $\mathcal{J}_C(\mathbb{F}_q)[m]$ of points of order $m$ on the Jacobian, where $m$ is a number dividing $q-1$. The key ingredient of the algorithm is a "diagonalization" of a set of randomly chosen points $\{P_1, \dots, P_4, Q_1, \dots, Q_4\}$ on the Jacobian with respect to the (reduced) Tate-pairing $e$; i.e. a modification of the set such that $e(P_i, Q_j) \neq 1$ if and only if $i = j$. This procedure is based on solving the discrete logarithm problem in $\mathcal{J}_C(\mathbb{F}_q)[m]$. Contrary to the special case when $m$ divides $q-1$, this is infeasible in general. Hence, in general the algorithm in [14] does not apply.

In the present paper, we generalize the algorithm in [14] to subgroups of points of prime order $\ell$, where $\ell$ does not divide $q-1$. In order to do so, we must somehow alter the diagonalization step. We show and exploit the fact that the $q$-power Frobenius endomorphism on $\mathcal{J}_C$ has a diagonal representation on $\mathcal{J}_C[\ell]$. Hereby, computations of discrete logarithms are avoided, yielding the desired altering of the diagonalization step.
Setup. Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$. Let $\ell$ be an odd prime number dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$, and with $\ell$ dividing neither $q$ nor $q-1$. Assume that the $\mathbb{F}_q$-rational subgroup $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ of points on the Jacobian of order $\ell$ is cyclic. Let $k$ be the multiplicative order of $q$ modulo $\ell$. Write the characteristic polynomial of the $q^k$-power Frobenius endomorphism on $\mathcal{J}_C$ as

$$
P_k(X) = X^4 + 2\sigma_k X^3 + (2q^k + \sigma_k^2 - \tau_k)X^2 + 2\sigma_k q^k X + q^{2k},
$$

where $2\sigma_k, 4\tau_k \in \mathbb{Z}$. Let $\omega_k \in \mathbb{C}$ be a root of $P_k(X)$. Finally, if $\ell$ divides $4\tau_k$, we assume that $\ell$ is unramified in $\mathbb{Q}(\omega_k)$.

Remark. Notice that in most cases relevant to cryptography, the considered genus two curve $C$ fulfills these assumptions. Cf. Remark 7 and [14].

The algorithm. First of all, we notice that in the above setup, the $q$-power Frobenius endomorphism $\varphi$ on $\mathcal{J}_C$ can be represented on $\mathcal{J}_C[\ell]$ by a diagonal matrix with respect to an appropriate basis $\mathfrak{B}$ of $\mathcal{J}_C[\ell]$; cf. Theorem 11. (In fact, to show this we do not need the $\mathbb{F}_q$-rational subgroup $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ of points on the Jacobian of order $\ell$ to be cyclic.) From this observation it follows that all non-degenerate, bilinear, anti-symmetric and Galois-invariant pairings on $\mathcal{J}_C[\ell]$ are given by the matrices

$$
E_{a,b} = \begin{pmatrix} 0 & a & 0 & 0 \\ -a & 0 & 0 & 0 \\ 0 & 0 & 0 & b \\ 0 & 0 & -b & 0 \end{pmatrix}, \qquad a, b \in (\mathbb{Z}/\ell\mathbb{Z})^\times,
$$

with respect to $\mathfrak{B}$; cf. Theorem 12. By using this description of the pairing, the desired algorithm is given as follows.

Algorithm 17. On input the considered curve $C$, the numbers $\ell$, $q$, $k$ and $\tau_k$ and a number $n \in \mathbb{N}$, the following algorithm outputs a generating set of $\mathcal{J}_C[\ell]$ or "failure".

(1) If $\ell$ does not divide $4\tau_k$, then do the following.

  (a) Choose points $0 \neq x_1 \in \mathcal{J}_C(\mathbb{F}_q)[\ell]$, $x_2 \in \mathcal{J}_C(\mathbb{F}_{q^k})[\ell] \setminus \mathcal{J}_C(\mathbb{F}_q)[\ell]$ and $x_3' \in U := \mathcal{J}_C[\ell] \setminus \mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$; compute $x_3 = x_3' - \varphi^k(x_3')$. If $\varepsilon(x_3, \varphi(x_3)) \neq 1$, then output $\{x_1, x_2, x_3, \varphi(x_3)\}$ and stop.

  (b) Let $i = j = 0$. While $i < n$ do the following

    (i) Choose a random point $x_4 \in U$.

    (ii) $i := i + 1$.

    (iii) If $\varepsilon(x_3, x_4) = 1$, then $i := i + 1$. Else $i := n$ and $j := 1$.

  (c) If $j = 0$ then output "failure". Else output $\{x_1, x_2, x_3, x_4\}$.

(2) If $\ell$ divides $4\tau_k$, then do the following.

  (a) Choose a random point $0 \neq x_1 \in \mathcal{J}_C(\mathbb{F}_q)[\ell]$.

  (b) Let $i = j = 0$. While $i < n$ do the following

    (i) Choose random points $y_3, y_4 \in \mathcal{J}_C[\ell]$; compute $x_\nu := q(y_\nu - \varphi(y_\nu)) - \varphi(y_\nu - \varphi(y_\nu))$ for $\nu = 3, 4$.

    (ii) If $\varepsilon(x_3, x_4) = 1$ then $i := i + 1$. Else $i := n$ and $j := 1$.

  (c) If $j = 0$ then output "failure" and stop.

  (d) Let $i = j = 0$. While $i < n$ do the following

    (i) Choose a random point $x_2 \in \mathcal{J}_C[\ell]$.

    (ii) If $\varepsilon(x_1, x_2) = 1$ then $i := i + 1$. Else $i := n$ and $j := 1$.

  (e) If $j = 0$ then output "failure". Else output $\{x_1, x_2, x_3, x_4\}$ and stop.

Algorithm 17 finds generators of $\mathcal{J}_C[\ell]$ with probability at least $(1 - 1/\ell^n)^2$ and in expected running time $O(\log \ell)$; cf. Theorem 18.

Remark. To implement Algorithm 17 we need to find a $q^k$-Weil number (cf. Definition 2). On Jacobians generated by the complex multiplication method [17, 7, 15], we know the Weil numbers in advance. Hence, Algorithm 17 is particularly well suited for such Jacobians.

Assumption. In this paper, a curve is an irreducible nonsingular projective variety 
of dimension one. 

2. Genus two curves 

A hyperelliptic curve is a projective curve $C \subseteq \mathbb{P}^n$ of genus at least two with a separable, degree two morphism $\phi : C \to \mathbb{P}^1$. It is well known that any genus two curve is hyperelliptic. Throughout this paper, let $C$ be a curve of genus two defined over a finite field $\mathbb{F}_q$ of characteristic $p$. By the Riemann-Roch Theorem there exists a birational map $\psi : C \to \mathbb{P}^2$, mapping $C$ to a curve given by an equation of the form

$$
y^2 + g(x)y = h(x),
$$

where $g, h \in \mathbb{F}_q[x]$ are of degree $\deg(g) \leq 3$ and $\deg(h) \leq 6$; cf. [2, chapter 1].

The set of principal divisors $\mathcal{P}(C)$ on $C$ constitutes a subgroup of the degree zero divisors $\mathrm{Div}_0(C)$. The Jacobian $\mathcal{J}_C$ of $C$ is defined as the quotient

$$
\mathcal{J}_C = \mathrm{Div}_0(C)/\mathcal{P}(C).
$$

The Jacobian is an abelian group. We write the group law additively, and denote the zero element of the Jacobian by $0$.

Let $\ell \neq p$ be a prime number. The $\ell^n$-torsion subgroup $\mathcal{J}_C[\ell^n] \subseteq \mathcal{J}_C$ of points of order dividing $\ell^n$ is a $\mathbb{Z}/\ell^n\mathbb{Z}$-module of rank four, i.e.

$$
\mathcal{J}_C[\ell^n] \simeq \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z};
$$

cf. [11, Theorem 6, p. 109].

The multiplicative order $k$ of $q$ modulo $\ell$ plays an important role in cryptography, since the (reduced) Tate-pairing is non-degenerate over $\mathbb{F}_{q^k}$; cf. [8].

Definition 1 (Embedding degree). Consider a prime number $\ell \neq p$ dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$. The embedding degree of $\mathcal{J}_C$ with respect to $\ell$ is the least number $k$, such that $q^k \equiv 1 \pmod{\ell}$.

3. The Frobenius endomorphism 

Since $C$ is defined over $\mathbb{F}_q$, the mapping $(x, y) \mapsto (x^q, y^q)$ is a morphism on $C$. This morphism induces the $q$-power Frobenius endomorphism $\varphi$ on the Jacobian $\mathcal{J}_C$. Let $P(X)$ be the characteristic polynomial of $\varphi$; cf. [11, pp. 109-110]. $P(X)$ is called the Weil polynomial of $\mathcal{J}_C$, and

$$
|\mathcal{J}_C(\mathbb{F}_q)| = P(1)
$$

by the definition of $P(X)$ (see [11, pp. 109-110]); i.e. the number of $\mathbb{F}_q$-rational points on the Jacobian is $P(1)$.

Definition 2 (Weil number). Let notation be as above. Let $P_m(X)$ be the characteristic polynomial of the $q^m$-power Frobenius endomorphism $\varphi_m$ on $\mathcal{J}_C$. A complex number $\omega_m \in \mathbb{C}$ with $P_m(\omega_m) = 0$ is called a $q^m$-Weil number of $\mathcal{J}_C$.

Remark 3. Note that $\mathcal{J}_C$ has four $q^m$-Weil numbers. If $P_1(X) = \prod_i (X - \omega_i)$, then $P_m(X) = \prod_i (X - \omega_i^m)$. Hence, if $\omega$ is a $q$-Weil number of $\mathcal{J}_C$, then $\omega^m$ is a $q^m$-Weil number of $\mathcal{J}_C$.

4. Non-cyclic subgroups

Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$. Let $P_m(X)$ be the characteristic polynomial of the $q^m$-power Frobenius endomorphism $\varphi_m$ on the Jacobian $\mathcal{J}_C$. $P_m(X)$ is of the form $P_m(X) = X^4 + sX^3 + tX^2 + sq^m X + q^{2m}$, where $s, t \in \mathbb{Z}$. Let $\sigma = s/2$ and $\tau = 2q^m + \sigma^2 - t$. Then

$$
P_m(X) = X^4 + 2\sigma X^3 + (2q^m + \sigma^2 - \tau)X^2 + 2\sigma q^m X + q^{2m},
$$

and $2\sigma, 4\tau \in \mathbb{Z}$. In [15], the author proves the following Theorem 4 and Theorem 5.

Theorem 4. Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$. Write the characteristic polynomial of the $q^m$-power Frobenius endomorphism on the Jacobian $\mathcal{J}_C$ as $P_m(X) = X^4 + 2\sigma X^3 + (2q^m + \sigma^2 - \tau)X^2 + 2\sigma q^m X + q^{2m}$, where $2\sigma, 4\tau \in \mathbb{Z}$. Let $\ell$ be an odd prime number dividing the number of $\mathbb{F}_q$-rational points on $\mathcal{J}_C$, and with $\ell \nmid q$ and $\ell \nmid q - 1$. If $\ell \nmid 4\tau$, then

(1) $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is of rank at most two as a $\mathbb{Z}/\ell\mathbb{Z}$-module, and

(2) $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is bicyclic if and only if $\ell$ divides $q^m - 1$.

Theorem 5. Let notation be as in Theorem 4. Furthermore, let $\omega_m$ be a $q^m$-Weil number of $\mathcal{J}_C$, and assume that $\ell$ is unramified in $\mathbb{Q}(\omega_m)$. Now assume that $\ell \mid 4\tau$. Then the following holds.

(1) If $\omega_m \in \mathbb{Z}$, then $\ell \mid q^m - 1$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^m})$.

(2) If $\omega_m \notin \mathbb{Z}$, then $\ell \nmid q^m - 1$, $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell] \simeq (\mathbb{Z}/\ell\mathbb{Z})^2$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{mk}})$ if and only if $\ell \mid q^{mk} - 1$.

Inspired by Theorem 4 and 5 we introduce the following notation.

Definition 6. Consider a curve $C$ with Jacobian $\mathcal{J}_C$. We call $C$ a $\mathcal{G}(\ell, q, k, \tau_k)$-curve, and write $C \in \mathcal{G}(\ell, q, k, \tau_k)$, if the following holds.

(1) $C$ is of genus two and defined over the finite field $\mathbb{F}_q$.

(2) $\ell$ is an odd prime number dividing the number of $\mathbb{F}_q$-rational points on $\mathcal{J}_C$, $\ell$ divides neither $q$ nor $q - 1$, and $\mathcal{J}_C(\mathbb{F}_q)$ is of embedding degree $k$ with respect to $\ell$.

(3) The characteristic polynomial of the $q^k$-power Frobenius endomorphism on $\mathcal{J}_C$ is given by $P_k(X) = X^4 + 2\sigma_k X^3 + (2q^k + \sigma_k^2 - \tau_k)X^2 + 2\sigma_k q^k X + q^{2k}$, where $2\sigma_k, 4\tau_k \in \mathbb{Z}$.

(4) Let $\omega_k$ be a $q^k$-Weil number of $\mathcal{J}_C$. If $\ell$ divides $4\tau_k$, then $\ell$ is unramified in $\mathbb{Q}(\omega_k)$.

Remark 7. Since $\ell$ is ramified in $\mathbb{Q}(\omega_k)$ if and only if $\ell$ divides the discriminant of $\mathbb{Q}(\omega_k)$, $\ell$ is unramified in $\mathbb{Q}(\omega_k)$ with probability approximately $1 - 1/\ell$. Hence, in most cases relevant to cryptography a genus two curve $C$ is a $\mathcal{G}(\ell, q, k, \tau_k)$-curve.

5. Matrix representation of the Frobenius endomorphism 

An endomorphism $\psi : \mathcal{J}_C \to \mathcal{J}_C$ induces a linear map $\bar\psi : \mathcal{J}_C[\ell] \to \mathcal{J}_C[\ell]$ by restriction. Hence, $\bar\psi$ is represented by a matrix $M \in \mathrm{Mat}_4(\mathbb{Z}/\ell\mathbb{Z})$ on $\mathcal{J}_C[\ell]$. If $\bar\psi$ can be represented on $\mathcal{J}_C[\ell]$ by a diagonal matrix with respect to an appropriate basis of $\mathcal{J}_C[\ell]$, then we say that $\psi$ is diagonalizable or has a diagonal representation on $\mathcal{J}_C[\ell]$.

Let $f \in \mathbb{Z}[X]$ be the characteristic polynomial of $\psi$ (see [11, pp. 109-110]), and let $\bar f \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ be the characteristic polynomial of $\bar\psi$. Then $f$ is a monic polynomial of degree four, and by [11, Theorem 3, p. 186],

$$
\bar f(X) \equiv f(X) \pmod{\ell}.
$$

We wish to show that in most cases, the $q$-power Frobenius endomorphism $\varphi$ is diagonalizable on $\mathcal{J}_C[\ell]$. To do this, we need to describe the matrix representation in the case when $\varphi$ is not diagonalizable on $\mathcal{J}_C[\ell]$.

Lemma 8. Consider a curve $C \in \mathcal{G}(\ell, q, k, \tau_k)$. Let $\varphi$ be the $q$-power Frobenius endomorphism on the Jacobian $\mathcal{J}_C$. If $\varphi$ is not diagonalizable on $\mathcal{J}_C[\ell]$, then $\varphi$ is represented on $\mathcal{J}_C[\ell]$ by a matrix of the form

(1)
$$
\begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & q & 0 & 0 \\ 0 & 0 & 0 & -q \\ 0 & 0 & 1 & c \end{pmatrix}
$$

with respect to an appropriate basis of $\mathcal{J}_C[\ell]$.

Proof. Let $\bar P_k \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ be the characteristic polynomial of the restriction of the $q^k$-power Frobenius endomorphism $\varphi_k$ to $\mathcal{J}_C[\ell]$. Since $\ell$ divides the number of $\mathbb{F}_q$-rational points on $\mathcal{J}_C$, $1$ is a root of $\bar P_k$. Assume that $1$ is a root of $\bar P_k$ with multiplicity $\nu$. Then

$$
\bar P_k(X) = (X - 1)^\nu Q_k(X),
$$

where $Q_k \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ is a polynomial of degree $4 - \nu$, and $Q_k(1) \neq 0$. Since the roots of $\bar P_k$ occur in pairs $(a, 1/a)$, $\nu$ is an even number. Let $U_k = \ker(\varphi_k - 1)^\nu$ and $W_k = \ker(Q_k(\varphi_k))$. Then $U_k$ and $W_k$ are $\varphi$-invariant submodules of the $\mathbb{Z}/\ell\mathbb{Z}$-module $\mathcal{J}_C[\ell]$, $\operatorname{rank}_{\mathbb{Z}/\ell\mathbb{Z}}(U_k) = \nu$, and $\mathcal{J}_C[\ell] \simeq U_k \oplus W_k$.

Assume at first that $\ell$ does not divide $4\tau_k$. Then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic and $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$ bicyclic; cf. Theorem 4. By [11, Theorem 3.1], $\nu = 2$. Choose points $x_1, x_2 \in \mathcal{J}_C[\ell]$, such that $\varphi(x_1) = x_1$ and $\varphi(x_2) = qx_2$. Then $\{x_1, x_2\}$ is a basis of $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$. Now, let $\{x_3, x_4\}$ be a basis of $W_k$, and consider the basis $\mathfrak{B} = \{x_1, x_2, x_3, x_4\}$ of $\mathcal{J}_C[\ell]$. If $x_3$ and $x_4$ are eigenvectors of $\varphi_k$, then $\varphi_k$ is represented by a diagonal matrix on $\mathcal{J}_C[\ell]$ with respect to $\mathfrak{B}$. Assume $x_3$ is not an eigenvector of $\varphi_k$. Then $\mathfrak{B}' = \{x_1, x_2, x_3, \varphi_k(x_3)\}$ is a basis of $\mathcal{J}_C[\ell]$, and $\varphi_k$ is represented by a matrix of the form (1).

Now, assume $\ell$ divides $4\tau_k$. Since $\ell$ divides $q^k - 1$, it follows that $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$; cf. Theorem 5. Let $\bar P \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ be the characteristic polynomial of the restriction of $\varphi$ to $\mathcal{J}_C[\ell]$. Since $\ell$ divides the number of $\mathbb{F}_q$-rational points on $\mathcal{J}_C$, $1$ is a root of $\bar P$. Assume that $1$ is a root of $\bar P$ with multiplicity $\nu$. Since the roots of $\bar P$ occur in pairs $(a, q/a)$, it follows that

$$
\bar P(X) = (X - 1)^\nu (X - q)^\nu Q(X),
$$

where $Q \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ is a polynomial of degree $4 - 2\nu$, $Q(1) \neq 0$ and $Q(q) \neq 0$. Let $U = \ker(\varphi - 1)^\nu$, $V = \ker(\varphi - q)^\nu$ and $W = \ker(Q(\varphi))$. Then $U$, $V$ and $W$ are $\varphi$-invariant submodules of the $\mathbb{Z}/\ell\mathbb{Z}$-module $\mathcal{J}_C[\ell]$, $\operatorname{rank}_{\mathbb{Z}/\ell\mathbb{Z}}(U) = \operatorname{rank}_{\mathbb{Z}/\ell\mathbb{Z}}(V) = \nu$, and $\mathcal{J}_C[\ell] = U \oplus V \oplus W$. If $\nu = 1$, then it follows as above that $\varphi$ is either diagonalizable on $\mathcal{J}_C[\ell]$ or represented by a matrix of the form (1) with respect to some basis of $\mathcal{J}_C[\ell]$. Hence, we may assume that $\nu = 2$. Now choose $x_1 \in U$, such that $\varphi(x_1) = x_1$, and expand this to a basis $(x_1, x_2)$ of $U$. Similarly, choose a basis $(x_3, x_4)$ of $V$ with $\varphi(x_3) = qx_3$. With respect to the basis $\mathfrak{B} = \{x_1, x_2, x_3, x_4\}$, $\varphi$ is represented by a matrix of the form

$$
M = \begin{pmatrix} 1 & \alpha & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & q & \beta \\ 0 & 0 & 0 & q \end{pmatrix}.
$$

Notice that, since $q^k \equiv 1 \pmod{\ell}$,

$$
M^k \equiv \begin{pmatrix} 1 & k\alpha & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & kq^{k-1}\beta \\ 0 & 0 & 0 & 1 \end{pmatrix} \pmod{\ell}.
$$

Since $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$, we know that $\varphi^k = \varphi_k$ is the identity on $\mathcal{J}_C[\ell]$. Hence, $M^k = I$. So $\alpha \equiv \beta \equiv 0 \pmod{\ell}$, i.e. $\varphi$ is represented by a diagonal matrix with respect to $\mathfrak{B}$. $\square$

The next step is to determine when the Weil polynomial splits modulo $\ell$.

Lemma 9. Consider a curve $C \in \mathcal{G}(\ell, q, k, \tau_k)$. Let $\varphi$ be the $q$-power Frobenius endomorphism on the Jacobian $\mathcal{J}_C$. Assume that $\varphi$ is not diagonalizable on $\mathcal{J}_C[\ell]$, and let $\varphi$ be represented on $\mathcal{J}_C[\ell]$ by the matrix

$$
M = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & q & 0 & 0 \\ 0 & 0 & 0 & -q \\ 0 & 0 & 1 & c \end{pmatrix}
$$

with respect to an appropriate basis of $\mathcal{J}_C[\ell]$. Let $P_n(X)$ be the characteristic polynomial of the $q^n$-power Frobenius endomorphism on $\mathcal{J}_C$. Then $P_n(X)$ splits modulo $\ell$ if and only if $c^2 - 4q$ is a quadratic residue modulo $\ell$. In particular, if $P_n(X)$ splits modulo $\ell$ for some $n \in \mathbb{N}$, then $P_n(X)$ splits modulo $\ell$ for any $n \in \mathbb{N}$.

Proof. Let $M_1 = \begin{pmatrix} 0 & -q \\ 1 & c \end{pmatrix}$, and write

$$
M_1^n = \begin{pmatrix} m_{11} & m_{12} \\ m_{21} & m_{22} \end{pmatrix}.
$$

Since $M_1^n M_1 = M_1 M_1^n$, it follows that $m_{12} = -q m_{21}$ and $m_{22} = m_{11} + c\, m_{21}$. But then $P_n(X) \equiv (X - 1)(X - q^n) F_n(X) \pmod{\ell}$, where

$$
F_n(X) \equiv X^2 - (2m_{11} + c\, m_{21})X + m_{11}^2 + q m_{21}^2 + c\, m_{11} m_{21} \pmod{\ell}.
$$

The discriminant of $F_n(X)$ is given by $\Delta \equiv (c^2 - 4q) m_{21}^2 \pmod{\ell}$; hence the lemma. $\square$

Theorem 10. The Weil polynomial of the Jacobian $\mathcal{J}_C$ of a curve $C \in \mathcal{G}(\ell, q, k, \tau_k)$ splits modulo $\ell$.

Proof. For some $n \in \mathbb{N}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^n})$. But then $\varphi^n$ acts as the identity on $\mathcal{J}_C[\ell]$, i.e. $P_n(X) \equiv (X - 1)^4 \pmod{\ell}$. In particular, $P_n(X)$ splits modulo $\ell$. But then $P(X)$ splits modulo $\ell$ by Lemma 9. $\square$
We are now ready to prove the desired result.

Theorem 11. The $q$-power Frobenius endomorphism on the Jacobian $\mathcal{J}_C$ of a curve $C \in \mathcal{G}(\ell, q, k, \tau_k)$ is diagonalizable on $\mathcal{J}_C[\ell]$.

Proof. Cf. Theorem 10, we may write the Weil polynomial of $\mathcal{J}_C$ as

$$
P(X) \equiv (X - 1)(X - q)(X - a)(X - q/a) \pmod{\ell}.
$$

If $a \not\equiv 1, q, q/a \pmod{\ell}$, then the theorem follows. If $a \equiv 1, q \pmod{\ell}$, then

$$
P(X) \equiv (X - 1)^2 (X - q)^2 \pmod{\ell};
$$

in this case, the theorem follows by the last part of the proof of Lemma 8.

Assume that $a \equiv q/a \pmod{\ell}$, i.e. that $a^2 \equiv q \pmod{\ell}$. Then the $q$-power Frobenius endomorphism is represented on $\mathcal{J}_C[\ell]$ by a matrix of the form

$$
M = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & q & 0 & 0 \\ 0 & 0 & a & \beta \\ 0 & 0 & 0 & a \end{pmatrix}
$$

with respect to an appropriate basis of $\mathcal{J}_C[\ell]$. Notice that

$$
M^{2k} \equiv \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 2k a^{2k-1}\beta \\ 0 & 0 & 0 & 1 \end{pmatrix} \pmod{\ell}.
$$

Thus, $P_{2k}(X) \equiv (X - 1)^4 \pmod{\ell}$. By Theorem 5 it follows that $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{2k}})$. But then $M^{2k} = I$, i.e. $\beta \equiv 0 \pmod{\ell}$. Hence, the $q$-power Frobenius endomorphism on $\mathcal{J}_C$ is diagonalizable on $\mathcal{J}_C[\ell]$ also in this case. The theorem is proved. $\square$



6. Anti-symmetric pairings on the Jacobian 
On $\mathcal{J}_C[\ell]$, a non-degenerate, bilinear, anti-symmetric and Galois-invariant pairing

$$
\varepsilon : \mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell] \to \mu_\ell = \langle \zeta \rangle
$$

exists, e.g. the Weil-pairing. Here, $\mu_\ell$ is the group of $\ell$-th roots of unity. Since $\varepsilon$ is bilinear, it is given by

$$
\varepsilon(x, y) = \zeta^{x^T E y},
$$

for some matrix $E \in \mathrm{Mat}_4(\mathbb{Z}/\ell\mathbb{Z})$ with respect to a basis $\mathfrak{B} = \{x_1, x_2, x_3, x_4\}$ of $\mathcal{J}_C[\ell]$. Let $\varphi$ denote the $q$-power Frobenius endomorphism on $\mathcal{J}_C$. Since $\varepsilon$ is Galois-invariant,

$$
\forall x, y \in \mathcal{J}_C[\ell] : \quad \varepsilon(x, y)^q = \varepsilon(\varphi(x), \varphi(y)).
$$

This is equivalent to

$$
\forall x, y \in \mathcal{J}_C[\ell] : \quad q(x^T E y) = (Mx)^T E (My),
$$



C.R. RAVNSHØJ



where $M$ is the matrix representation of $\varphi$ on $\mathcal{J}_C[\ell]$ with respect to $\mathfrak{B}$. Since $(Mx)^T E (My) = x^T M^T E M y$, it follows that

$$
\forall x, y \in \mathcal{J}_C[\ell] : \quad x^T qE y = x^T M^T E M y,
$$

or equivalently, that $qE = M^T E M$.

Now, let $\varepsilon(x_i, x_j) = \zeta^{a_{ij}}$. By anti-symmetry,

$$
E = \begin{pmatrix} 0 & a_{12} & a_{13} & a_{14} \\ -a_{12} & 0 & a_{23} & a_{24} \\ -a_{13} & -a_{23} & 0 & a_{34} \\ -a_{14} & -a_{24} & -a_{34} & 0 \end{pmatrix}.
$$

Assume that $\varphi$ is represented by a diagonal matrix $\mathrm{diag}(1, q, a, q/a)$ with respect to $\mathfrak{B}$. Then it follows from $M^T E M = qE$, that

$$
a_{13}(a - q) \equiv a_{14}(a - 1) \equiv a_{23}(a - 1) \equiv a_{24}(a - q) \equiv 0 \pmod{\ell}.
$$

If $a \equiv 1, q \pmod{\ell}$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bi-cyclic. Hence the following theorem holds.



Theorem 12. Consider a curve $C \in \mathcal{G}(\ell, q, k, \tau_k)$. Let $\varphi$ be the $q$-power Frobenius endomorphism on the Jacobian $\mathcal{J}_C$. Now choose a basis $\mathfrak{B}$ of $\mathcal{J}_C[\ell]$, such that $\varphi$ is represented by a diagonal matrix $\mathrm{diag}(1, q, a, q/a)$ with respect to $\mathfrak{B}$. If the $\mathbb{F}_q$-rational subgroup $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ of points on the Jacobian of order $\ell$ is cyclic, then all non-degenerate, bilinear, anti-symmetric and Galois-invariant pairings on $\mathcal{J}_C[\ell]$ are given by the matrices

$$
E_{a,b} = \begin{pmatrix} 0 & a & 0 & 0 \\ -a & 0 & 0 & 0 \\ 0 & 0 & 0 & b \\ 0 & 0 & -b & 0 \end{pmatrix}, \qquad a, b \in (\mathbb{Z}/\ell\mathbb{Z})^\times,
$$

with respect to $\mathfrak{B}$.



Remark 13. Let notation and assumptions be as in Theorem 12. Let $\varepsilon$ be a non-degenerate, bilinear, anti-symmetric and Galois-invariant pairing on $\mathcal{J}_C[\ell]$, and let $\varepsilon$ be given by $E_{a,b}$ with respect to a basis $\{x_1, x_2, x_3, x_4\}$ of $\mathcal{J}_C[\ell]$. Then $\varepsilon$ is given by $E_{1,1}$ with respect to $\{a^{-1}x_1, x_2, b^{-1}x_3, x_4\}$.

Remark 14. In most cases relevant to cryptography, we consider a prime divisor $\ell$ of size $q^2$. Assume $\ell$ is of size $q^2$. Then $\ell$ divides neither $q$ nor $q - 1$. The number of $\mathbb{F}_q$-rational points on the Jacobian is approximately $q^2$. Thus, $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic in most cases relevant to cryptography.
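As an added illustration, not part of the paper, the following Python checks by brute force which entries of an anti-symmetric $E$ survive the constraint $qE = M^T E M$ for $M = \mathrm{diag}(1, q, a, q/a)$ (Theorem 12), and verifies the rescaling of Remark 13. The values $\ell = 29$, $q = 7$ are constructed toy parameters, not taken from a real curve.

```python
# Added example (not the paper's code): brute-force check of Section 6 / Theorem 12 /
# Remark 13.  ELL and Q are constructed toy values, not from a real curve; the basis
# is the one of Theorem 11, in which the q-power Frobenius acts as diag(1, q, a, q/a).
ELL, Q = 29, 7


def inv(x):
    """Inverse modulo the prime ELL."""
    return pow(x, ELL - 2, ELL)


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(4)) % ELL for j in range(4)]
            for i in range(4)]


def transpose(A):
    return [list(row) for row in zip(*A)]


def diag(*d):
    return [[d[i] % ELL if i == j else 0 for j in range(4)] for i in range(4)]


def frobenius_matrix(a):
    """M = diag(1, q, a, q/a) modulo ELL."""
    return diag(1, Q, a, Q * inv(a))


def E_ab(a, b):
    """The matrix E_{a,b} of Theorem 12."""
    return [[0, a % ELL, 0, 0], [-a % ELL, 0, 0, 0],
            [0, 0, 0, b % ELL], [0, 0, -b % ELL, 0]]


def galois_invariant(E, M):
    """Section 6: the pairing zeta^(x^T E y) is Galois-invariant iff M^T E M = qE."""
    lhs = matmul(matmul(transpose(M), E), M)
    rhs = [[Q * e % ELL for e in row] for row in E]
    return lhs == rhs


def admissible_entries(a):
    """Index pairs (i, j), i < j, of an anti-symmetric E whose entry a_ij may be
    nonzero when M^T E M = qE.  Because M is diagonal the condition acts on each
    entry separately, so testing one unit entry at a time is exhaustive."""
    M = frobenius_matrix(a)
    found = []
    for i in range(4):
        for j in range(i + 1, 4):
            E = [[0] * 4 for _ in range(4)]
            E[i][j], E[j][i] = 1, ELL - 1          # anti-symmetric unit entry
            if galois_invariant(E, M):
                found.append((i + 1, j + 1))      # 1-based indices, as in the paper
    return found


def remark13_rescaling(a, b):
    """E_{a,b} w.r.t. {x1, x2, x3, x4} equals E_{1,1} w.r.t. {a^-1 x1, x2, b^-1 x3, x4}:
    with S = diag(a^-1, 1, b^-1, 1) the pairing matrix becomes S^T E_{a,b} S."""
    S = diag(inv(a), 1, inv(b), 1)
    return matmul(matmul(transpose(S), E_ab(a, b)), S) == E_ab(1, 1)


if __name__ == "__main__":
    # a = 2 is a generic eigenvalue (a != 1, q, q/a): only a12 and a34 survive.
    print(admissible_entries(2))      # [(1, 2), (3, 4)]
    # a = 1 is the bi-cyclic case excluded by Theorem 12: more entries are allowed.
    print(admissible_entries(1))      # [(1, 2), (1, 4), (2, 3), (3, 4)]
    print(galois_invariant(E_ab(3, 5), frobenius_matrix(2)), remark13_rescaling(3, 5))
```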



7. Generators of $\mathcal{J}_C[\ell]$

Consider a curve $C \in \mathcal{G}(\ell, q, k, \tau_k)$ with Jacobian $\mathcal{J}_C$. Assume the $\mathbb{F}_q$-rational subgroup $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ of points on the Jacobian of order $\ell$ is cyclic. Let $\varphi$ be the $q$-power Frobenius endomorphism on $\mathcal{J}_C$. Let $\varepsilon$ be a non-degenerate, bilinear, anti-symmetric and Galois-invariant pairing

$$
\varepsilon : \mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell] \to \mu_\ell = \langle \zeta \rangle.
$$

We consider the cases $\ell \nmid 4\tau_k$ and $\ell \mid 4\tau_k$ separately.
7.1. The case $\ell \nmid 4\tau_k$. If $\ell$ does not divide $4\tau_k$, then $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$ is bicyclic; cf. Theorem 4. Choose a random point $0 \neq x_1 \in \mathcal{J}_C(\mathbb{F}_q)[\ell]$, and expand $\{x_1\}$ to a basis $\{x_1, y_2\}$ of $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$, where $\varphi(y_2) = qy_2$. Let $x_2' \in \mathcal{J}_C(\mathbb{F}_{q^k})[\ell] \setminus \mathcal{J}_C(\mathbb{F}_q)[\ell]$ be a random point. Write $x_2' = \alpha_1 x_1 + \alpha_2 y_2$. Then

$$
x_2 = x_2' - \varphi(x_2') = \alpha_2 (1 - q) y_2 \in \langle y_2 \rangle,
$$

i.e. $\varphi(x_2) = qx_2$. Now, let $\mathcal{J}_C[\ell] = \mathcal{J}_C(\mathbb{F}_{q^k})[\ell] \oplus W$, where $W$ is a $\varphi$-invariant submodule of rank two. Choose a random point $x_3' \in \mathcal{J}_C[\ell] \setminus \mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$. Then

$$
x_3 = x_3' - \varphi^k(x_3') \in W
$$

as above. Notice that

$$
\mathcal{J}_C[\ell] = \langle x_1, x_2, x_3, \varphi(x_3) \rangle \quad \text{if and only if} \quad \varepsilon(x_3, \varphi(x_3)) \neq 1;
$$

cf. Theorem 12.

Assume $\varepsilon(x_3, \varphi(x_3)) = 1$. Then $x_3$ is an eigenvector of $\varphi$. Expand $\{x_1, x_2, x_3\}$ to a basis $\mathfrak{B} = \{x_1, x_2, x_3, x_4\}$ of $\mathcal{J}_C[\ell]$, such that $\varphi$ is represented by a diagonal matrix on $\mathcal{J}_C[\ell]$ with respect to $\mathfrak{B}$. We may assume that $\varepsilon$ is given by $E_{1,1}$ with respect to $\mathfrak{B}$; cf. Remark 13.

Now, choose a random point $x \in \mathcal{J}_C[\ell] \setminus \mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$. Write $x = \alpha_1 x_1 + \alpha_2 x_2 + \alpha_3 x_3 + \alpha_4 x_4$. Then $\varepsilon(x_3, x) = \zeta^{\alpha_4}$. So $\varepsilon(x_3, x) \neq 1$ if and only if $\ell$ does not divide $\alpha_4$. On the other hand, $\{x_1, x_2, x_3, x\}$ is a basis of $\mathcal{J}_C[\ell]$ if and only if $\ell$ does not divide $\alpha_4$. Hence, $\{x_1, x_2, x_3, x\}$ is a basis of $\mathcal{J}_C[\ell]$ if and only if $\varepsilon(x_3, x) \neq 1$. Thus, if $\ell$ does not divide $4\tau_k$, then the following Algorithm 15 outputs generators of $\mathcal{J}_C[\ell]$ with probability $1 - 1/\ell^n$.

Algorithm 15. The following algorithm takes as input a $\mathcal{G}(\ell, q, k, \tau_k)$-curve $C$, the numbers $\ell$, $q$, $k$ and $\tau_k$ and a number $n \in \mathbb{N}$.

(1) Choose points $0 \neq x_1 \in \mathcal{J}_C(\mathbb{F}_q)[\ell]$, $x_2 \in \mathcal{J}_C(\mathbb{F}_{q^k})[\ell] \setminus \mathcal{J}_C(\mathbb{F}_q)[\ell]$ and $x_3' \in U := \mathcal{J}_C[\ell] \setminus \mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$; compute $x_3 = x_3' - \varphi^k(x_3')$. If $\varepsilon(x_3, \varphi(x_3)) \neq 1$, then output $\{x_1, x_2, x_3, \varphi(x_3)\}$ and stop.

(2) Let $i = j = 0$. While $i < n$ do the following

  (a) Choose a random point $x_4 \in U$.

  (b) $i := i + 1$.

  (c) If $\varepsilon(x_3, x_4) = 1$, then $i := i + 1$. Else $i := n$ and $j := 1$.

(3) If $j = 0$ then output "failure". Else output $\{x_1, x_2, x_3, x_4\}$.

7.2. The case $\ell \mid 4\tau_k$. Assume $\ell$ divides $4\tau_k$. Then $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$; cf. Theorem 5. Choose a random point $0 \neq x_1 \in \mathcal{J}_C(\mathbb{F}_q)[\ell]$, and let $y_2 \in \mathcal{J}_C[\ell]$ be a point with $\varphi(y_2) = qy_2$. Write $\mathcal{J}_C[\ell] = \langle x_1, y_2 \rangle \oplus W$, where $W$ is a $\varphi$-invariant submodule of rank two; cf. the proof of Lemma 8. Let $\{y_3, y_4\}$ be a basis of $W$, such that $\varphi$ is represented on $\mathcal{J}_C[\ell]$ by a diagonal matrix $M = \mathrm{diag}(1, q, a, q/a)$ with respect to the basis

$$
\mathfrak{B} = \{x_1, y_2, y_3, y_4\}.
$$

Now, choose a random point $z \in \mathcal{J}_C[\ell] \setminus \mathcal{J}_C(\mathbb{F}_q)[\ell]$. Since $z - \varphi(z) \in \langle y_2, y_3, y_4 \rangle$, we may assume that $z \in \langle y_2, y_3, y_4 \rangle$. Write $z = \alpha_2 y_2 + \alpha_3 y_3 + \alpha_4 y_4$. Then

$$
qz - \varphi(z) = \alpha_2 q y_2 + \alpha_3 q y_3 + \alpha_4 q y_4 - \bigl(\alpha_2 q y_2 + \alpha_3 a y_3 + \alpha_4 (q/a) y_4\bigr) = \alpha_3 (q - a) y_3 + \alpha_4 (q - q/a) y_4,
$$

so $qz - \varphi(z) \in \langle y_3, y_4 \rangle$. If $qz - \varphi(z) = 0$, then it follows that $q \equiv 1 \pmod{\ell}$. This contradicts the choice of the curve $C \in \mathcal{G}(\ell, q, k, \tau_k)$. Hence, we have a procedure to choose a point $0 \neq w \in W$.

Choose two random points $w_1, w_2 \in W$. Write $w_i = \alpha_{i3} y_3 + \alpha_{i4} y_4$ for $i = 1, 2$. We may assume that $\varepsilon$ is given by $E_{1,1}$ with respect to $\mathfrak{B}$; cf. Remark 13. But then

$$
\varepsilon(w_1, w_2) = \zeta^{\alpha_{13}\alpha_{24} - \alpha_{14}\alpha_{23}}.
$$

Hence, $\varepsilon(w_1, w_2) = 1$ if and only if $\alpha_{13}\alpha_{24} \equiv \alpha_{14}\alpha_{23} \pmod{\ell}$. If $\alpha_{13} \not\equiv 0 \pmod{\ell}$, then $\varepsilon(w_1, w_2) = 1$ if and only if $\alpha_{24} \equiv \alpha_{14}\alpha_{23}/\alpha_{13} \pmod{\ell}$. So $\varepsilon(w_1, w_2) \neq 1$ with probability $1 - 1/\ell$. Hence, we have a procedure to find a basis of $W$.

Until now, we have found points $x_1 \in \mathcal{J}_C(\mathbb{F}_q)[\ell]$ and $w_3, w_4 \in W$, such that $W = \langle w_3, w_4 \rangle$. Now, choose a random point $x_2 \in \mathcal{J}_C[\ell]$. Write $x_2 = \alpha_1 x_1 + \alpha_2 y_2 + \alpha_3 y_3 + \alpha_4 y_4$. Then $\varepsilon(x_1, x_2) = \zeta^{\alpha_2}$, i.e. $\varepsilon(x_1, x_2) = 1$ if and only if $\alpha_2 \equiv 0 \pmod{\ell}$. Thus, with probability $1 - \ell^3/\ell^4 = 1 - 1/\ell$ the set $\{x_1, x_2, w_3, w_4\}$ is a basis of $\mathcal{J}_C[\ell]$.

Summing up, if $\ell$ divides $4\tau_k$, then the following Algorithm 16 outputs generators of $\mathcal{J}_C[\ell]$ with probability $(1 - 1/\ell^n)^2$.

Algorithm 16. The following algorithm takes as input a $\mathcal{G}(\ell, q, k, \tau_k)$-curve $C$, the numbers $\ell$, $q$, $k$ and $\tau_k$ and a number $n \in \mathbb{N}$.

(1) Choose a random point $0 \neq x_1 \in \mathcal{J}_C(\mathbb{F}_q)[\ell]$.

(2) Let $i = j = 0$. While $i < n$ do the following

  (a) Choose random points $y_3, y_4 \in \mathcal{J}_C[\ell]$; compute $x_\nu := q(y_\nu - \varphi(y_\nu)) - \varphi(y_\nu - \varphi(y_\nu))$ for $\nu = 3, 4$.

  (b) If $\varepsilon(x_3, x_4) = 1$ then $i := i + 1$. Else $i := n$ and $j := 1$.

(3) If $j = 0$ then output "failure" and stop.

(4) Let $i = j = 0$. While $i < n$ do the following

  (a) Choose a random point $x_2 \in \mathcal{J}_C[\ell]$.

  (b) If $\varepsilon(x_1, x_2) = 1$ then $i := i + 1$. Else $i := n$ and $j := 1$.

(5) If $j = 0$ then output "failure". Else output $\{x_1, x_2, x_3, x_4\}$.

7.3. The complete algorithm. Combining Algorithm 15 and 16 yields the desired algorithm to find generators of $\mathcal{J}_C[\ell]$.

Algorithm 17. The following algorithm takes as input a $\mathcal{G}(\ell, q, k, \tau_k)$-curve $C$, the numbers $\ell$, $q$, $k$ and $\tau_k$ and a number $n \in \mathbb{N}$.

(1) If $\ell \nmid 4\tau_k$, run Algorithm 15 on input $(C, \ell, q, k, \tau_k, n)$.

(2) If $\ell \mid 4\tau_k$, run Algorithm 16 on input $(C, \ell, q, k, \tau_k, n)$.

Theorem 18. Let $C$ be a $\mathcal{G}(\ell, q, k, \tau_k)$-curve. On input $(C, \ell, q, k, \tau_k, n)$, Algorithm 17 outputs generators of $\mathcal{J}_C[\ell]$ with probability at least $(1 - 1/\ell^n)^2$ and in expected running time $O(\log \ell)$.
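As an added example (my own code, not the paper's), Algorithms 15 and 16, dispatched as in Algorithm 17, are run on a model of $\mathcal{J}_C[\ell]$: $(\mathbb{Z}/\ell\mathbb{Z})^4$ in the basis of Theorem 11, with $\varphi = \mathrm{diag}(1, q, a, q/a)$, the pairing given by $E_{1,1}$ (Remark 13) and the rational subgroups as coordinate subspaces. The parameters $\ell = 29$, $q = 7$ and the eigenvalues $a = 2$ and $a = 20$ are constructed toy values, not from a real curve; `generates` checks that the output really spans $\mathcal{J}_C[\ell]$.

```python
# Added example (not the paper's code): Algorithm 17 on a model of J_C[ell].
# ELL = 29, Q = 7 are constructed toy values.  In the basis of Theorem 11 the q-power
# Frobenius is diag(1, q, a, q/a) and the pairing is eps(x, y) = zeta^(x^T E_{1,1} y).
import random
from itertools import permutations

ELL, Q = 29, 7
K = next(k for k in range(1, ELL) if pow(Q, k, ELL) == 1)   # embedding degree, 7 here

def frob_diag(a):
    """Eigenvalues (1, q, a, q/a) of phi on the basis e1..e4."""
    return (1, Q % ELL, a % ELL, Q * pow(a, ELL - 2, ELL) % ELL)

def phi(v, d, power=1):
    """phi^power(v) for phi = diag(d)."""
    return tuple(c * pow(e, power, ELL) % ELL for c, e in zip(v, d))

def sub(u, v):
    return tuple((x - y) % ELL for x, y in zip(u, v))

def pairing_exp(x, y):
    """alpha with eps(x, y) = zeta^alpha for eps given by E_{1,1}; eps = 1 iff alpha = 0."""
    return (x[0] * y[1] - x[1] * y[0] + x[2] * y[3] - x[3] * y[2]) % ELL

def random_point(rng, outside_rational=False):
    """Random point of J_C[ell]; if outside_rational, one not in <e1, e2>."""
    while True:
        v = tuple(rng.randrange(ELL) for _ in range(4))
        if not outside_rational or v[2] or v[3]:
            return v

def search(n, draw, accept):
    """The 'Let i = j = 0. While i < n ...' loops: at most n draws, first accepted
    draw or None ("failure").  One counter step per draw is my simplification."""
    for _ in range(n):
        x = draw()
        if accept(x):
            return x
    return None

def algorithm15(a, n, rng):
    """Case ell does not divide 4 tau_k: J_C(F_{q^k})[ell] = <e1, e2>, U its complement."""
    d = frob_diag(a)
    x1 = (rng.randrange(1, ELL), 0, 0, 0)                   # 0 != x1 in J_C(F_q)[ell]
    x2 = (rng.randrange(ELL), rng.randrange(1, ELL), 0, 0)   # in J_C(F_{q^k})[ell] \ J_C(F_q)[ell]
    x3p = random_point(rng, outside_rational=True)
    x3 = sub(x3p, phi(x3p, d, K))                            # x3 = x3' - phi^k(x3') lies in W
    if pairing_exp(x3, phi(x3, d)) != 0:                     # step (1)
        return (x1, x2, x3, phi(x3, d))
    x4 = search(n, lambda: random_point(rng, outside_rational=True),
                lambda x: pairing_exp(x3, x) != 0)           # steps (2)-(3)
    return None if x4 is None else (x1, x2, x3, x4)

def algorithm16(a, n, rng):
    """Case ell divides 4 tau_k: all of J_C[ell] is F_{q^k}-rational, phi^k = 1."""
    d = frob_diag(a)
    x1 = (rng.randrange(1, ELL), 0, 0, 0)                    # step (1)
    def into_w(y):   # x = q(y - phi(y)) - phi(y - phi(y)) lies in W = <e3, e4>
        z = sub(y, phi(y, d))
        return sub(tuple(Q * c % ELL for c in z), phi(z, d))
    pair = search(n, lambda: (into_w(random_point(rng)), into_w(random_point(rng))),
                  lambda p: pairing_exp(*p) != 0)            # steps (2)-(3)
    if pair is None:
        return None
    x2 = search(n, lambda: random_point(rng),
                lambda x: pairing_exp(x1, x) != 0)           # steps (4)-(5)
    return None if x2 is None else (x1, x2, pair[0], pair[1])

def algorithm17(a, n, seed=1):
    """Section 7.3 dispatch.  In the model, ell | 4 tau_k exactly when phi^k is the
    identity on J_C[ell] (Theorems 4 and 5), i.e. when a^k = 1 (mod ell)."""
    rng = random.Random(seed)
    return (algorithm15 if pow(a, K, ELL) != 1 else algorithm16)(a, n, rng)

def generates(points):
    """True iff the four points span J_C[ell]: det of their coordinate matrix != 0."""
    det = 0
    for p in permutations(range(4)):
        inversions = sum(p[i] > p[j] for i in range(4) for j in range(i + 1, 4))
        term = -1 if inversions % 2 else 1
        for row, col in enumerate(p):
            term *= points[row][col]
        det += term
    return det % ELL != 0
```

With $a = 2$ one has $a^7 \not\equiv 1 \pmod{29}$, so Algorithm 15 runs; with $a = 20 = 7^2$ one has $a^7 \equiv 1$, so Algorithm 16 runs.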

Proof. We may assume that the time necessary to perform an addition of two points on the Jacobian, to multiply a point with a number or to evaluate the $q$-power Frobenius endomorphism on the Jacobian is small compared to the time necessary to compute the (Weil-)pairing of two points on the Jacobian. By [4], the pairing can be evaluated in time $O(\log \ell)$. Hence, the expected running time of Algorithm 17 is of size $O(\log \ell)$. $\square$

8. Implementation issues 

A priori, to implement Algorithm 17 we need to find a $q^k$-Weil number $\omega_k$ of the Jacobian $\mathcal{J}_C$, in order to check if $\ell$ ramifies in $\mathbb{Q}(\omega_k)$ in the case when $\ell$ divides $4\tau_k$. On Jacobians generated by the complex multiplication method [17, 7, 13], we know the Weil numbers in advance. Hence, Algorithm 17 is particularly well suited for such Jacobians.

Fortunately, in most cases $\ell$ does not divide $4\tau_k$, and then we do not have to find a $q^k$-Weil number. And in fact, we do not even have to compute $4\tau_k$. To see this, notice that by Theorem 10 the Weil polynomial of $\mathcal{J}_C$ is of the form

$$
P(X) \equiv (X - 1)(X - q)(X - a)(X - q/a) \pmod{\ell}.
$$

Let $\varphi$ be the $q$-power Frobenius endomorphism on $\mathcal{J}_C$, and let $P_k(X)$ be the characteristic polynomial of $\varphi^k$. Since $\varphi$ is diagonalizable on $\mathcal{J}_C[\ell]$, it follows that

$$
P_k(X) \equiv (X - 1)^2 (X - a^k)(X - 1/a^k) \pmod{\ell}.
$$

If $\ell$ divides $4\tau_k$, then $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$; cf. Theorem 5. But then $P_k(X) \equiv (X - 1)^4 \pmod{\ell}$. Hence,

(2) $\ell$ divides $4\tau_k$ if and only if $a^k \equiv 1 \pmod{\ell}$.

Assume $a^k \equiv 1 \pmod{\ell}$. Then $P_k(X) \equiv (X - 1)^4 \pmod{\ell}$. Hence,

(3) $\ell$ ramifies in $\mathbb{Q}(\omega_k)$ if and only if $\omega_k \notin \mathbb{Z}$;

cf. [13, Proposition 8.3, p. 47]. Here, $\omega$ is a $q$-Weil number of $\mathcal{J}_C$. Consider the case when $a^k \equiv 1 \pmod{\ell}$ and $\omega_k \in \mathbb{Z}$. Then $\omega = \sqrt{q}\, e^{i\pi n/k}$ for some $n \in \mathbb{Z}$ with $0 \leq n < k$. Assume $k$ divides $mn$ for some $m < k$. Then $\omega^{2m} = q^m \in \mathbb{Z}$. Since the $q$-power Frobenius endomorphism is the identity on the $\mathbb{F}_q$-rational points on the Jacobian, it follows that $\omega^{2m} \equiv 1 \pmod{\ell}$. Hence, $q^m \equiv 1 \pmod{\ell}$, i.e. $k$ divides $m$. This is a contradiction. So $n$ and $k$ have no common divisors. Let $\xi = \omega^2/q = e^{2\pi i n/k}$. Then $\xi$ is a primitive $k$-th root of unity, and $\mathbb{Q}(\xi) \subseteq K$, where $K = \mathbb{Q}(\omega)$. Since $[K : \mathbb{Q}] \leq 4$ and $[\mathbb{Q}(\xi) : \mathbb{Q}] = \phi(k)$, where $\phi$ is the Euler phi function, it follows that $k \leq 12$. Hence,

(4) if $a^k \equiv 1 \pmod{\ell}$, then $\omega_k \in \mathbb{Z}$ if and only if $k \leq 12$.

The criteria (2), (3) and (4) provide the following efficient Algorithm 19 to check whether a given curve is of type $\mathcal{G}(\ell, q, k, \tau_k)$, and whether $\ell$ divides $4\tau_k$.

Algorithm 19. Let $\mathcal{J}_C$ be the Jacobian of a genus two curve $C$. Assume the odd prime number $\ell$ divides the number of $\mathbb{F}_q$-rational points on $\mathcal{J}_C$, and that $\ell$ divides neither $q$ nor $q - 1$. Let $k$ be the multiplicative order of $q$ modulo $\ell$.

(1) Compute the Weil polynomial $P(X)$ of $\mathcal{J}_C$. Let $P(X) \equiv \prod_{i=1}^4 (X - a_i) \pmod{\ell}$.

(2) If $a_i^k \not\equiv 1 \pmod{\ell}$ for an $i \in \{1, 2, 3, 4\}$, then output "$C \in \mathcal{G}(\ell, q, k, \tau_k)$ and $\ell$ does not divide $4\tau_k$" and stop.

(3) If $k > 12$ then output "$C \notin \mathcal{G}(\ell, q, k, \tau_k)$" and stop.

(4) Output "$C \in \mathcal{G}(\ell, q, k, \tau_k)$ and $\ell$ divides $4\tau_k$" and stop.
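As an added example (my own code, not the paper's), the following Python runs Algorithm 19 on a Weil polynomial reduced modulo $\ell$, finding the roots $a_i$ by trial over $\mathbb{Z}/\ell\mathbb{Z}$ and applying criteria (2) to (4). The inputs are constructed: $q = 7$, $\ell = 29$ and $P(X) = X^4 + X^3 + 7X + 49$, which was built so that $P \equiv (X-1)(X-7)(X-2)(X-18) \pmod{29}$; a second residue class, $(X-1)(X-7)(X-20)(X-25) \pmod{29}$, only exercises the other branch and is not lifted to a Weil polynomial.

```python
# Added example (not the paper's code): Algorithm 19 on P(X) modulo ell.
# Polynomials are coefficient lists, lowest degree first: P(X) = sum c[i] X^i.


def poly_eval(c, x, ell):
    return sum(ci * pow(x, i, ell) for i, ci in enumerate(c)) % ell


def divide_by_root(c, r, ell):
    """Quotient of P(X) by (X - r) modulo ell (Horner / synthetic division)."""
    quotient, carry = [], 0
    for ci in reversed(c):                 # highest degree first
        carry = (ci + carry * r) % ell
        quotient.append(carry)
    assert quotient.pop() == 0             # the last value is the remainder P(r)
    return list(reversed(quotient))


def roots_mod(c, ell):
    """All roots of P modulo the (small) prime ell, with multiplicity, by trial
    over Z/ell Z; None if P does not split into linear factors modulo ell."""
    c = [ci % ell for ci in c]
    roots = []
    for r in range(ell):
        while len(c) > 1 and poly_eval(c, r, ell) == 0:
            roots.append(r)
            c = divide_by_root(c, r, ell)
    return roots if len(c) == 1 else None


def embedding_degree(q, ell):
    """Multiplicative order k of q modulo ell (Definition 1)."""
    return next(k for k in range(1, ell) if pow(q, k, ell) == 1)


def algorithm19(weil_poly, q, ell):
    """Steps (1)-(4) of Algorithm 19 for P(X) = weil_poly, field size q, prime ell.
    Returns one of the algorithm's three verdicts, or reports that P does not
    split (which Theorem 10 rules out for a G(ell,q,k,tau_k)-curve)."""
    assert ell % 2 == 1 and q % ell != 0 and (q - 1) % ell != 0
    assert poly_eval(weil_poly, 1, ell) == 0           # ell divides #J_C(F_q) = P(1)
    k = embedding_degree(q, ell)
    roots = roots_mod(weil_poly, ell)                  # step (1)
    if roots is None:
        return "P(X) does not split modulo ell"
    if any(pow(a, k, ell) != 1 for a in roots):        # step (2), criterion (2)
        return "C in G and ell does not divide 4 tau_k"
    if k > 12:                                         # step (3), criterion (4)
        return "C not in G"
    return "C in G and ell divides 4 tau_k"            # step (4), criterion (3)


# Constructed inputs (no real curve behind them), q = 7 and ell = 29:
# P(X) = X^4 + X^3 + 7X + 49 = (X-1)(X-7)(X-2)(X-18) mod 29, and a residue class
# (X-1)(X-7)(X-20)(X-25) mod 29 whose roots all lie in the subgroup generated by q.
P_CONSTRUCTED = [49, 7, 0, 1, 1]
P_IN_SUBGROUP = [49, 35, 26, 5, 1]

if __name__ == "__main__":
    print(roots_mod(P_CONSTRUCTED, 29))                # [1, 2, 7, 18]
    print(algorithm19(P_CONSTRUCTED, 7, 29))           # C in G and ell does not divide 4 tau_k
    print(algorithm19(P_IN_SUBGROUP, 7, 29))           # C in G and ell divides 4 tau_k
```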